How to configure a FreeBSD Jail with vnet and ZFS

Published: 2019-11-20 08:53:44  Source: igfitidea

A FreeBSD Jail is operating-system-level virtualization used to partition a FreeBSD system.
Each jail has its own root user and its own set of access rights.
A jail can use a virtualized network stack (vnet) or share the host's existing network.
Jails have been part of FreeBSD since the 4.x releases.

How do you create a FreeBSD Jail with /etc/jail.conf?
How do you install and configure a FreeBSD Jail with vnet?

Configure and build a vnet (VIMAGE) kernel

You must build a custom FreeBSD kernel: vnet jails require the VIMAGE option, which is not enabled in the default GENERIC kernel on FreeBSD 11.x.

Copy the example VIMAGE kernel configuration into the kernel config directory:

$ sudo cp -v /usr/src/share/examples/jails/VIMAGE /usr/src/sys/amd64/conf/VIMAGE
$ cd /usr/src/

Build the kernel:

$ sudo make KERNCONF=VIMAGE kernel

The -j option sets the number of parallel build jobs (roughly one per CPU core):

$ sudo make -j 16 KERNCONF=VIMAGE kernel

Reboot the FreeBSD server so the new kernel is loaded:

$ sudo reboot

Verify that the new kernel is running:

$ uname -v

Install the jib and jng helper scripts, which create the jail's network interfaces:

$ sudo cp -v /usr/src/share/examples/jails/{jib,jng} /usr/sbin/

Create a ZFS dataset for the jails

List the ZFS pools with the zpool command:

# zpool list

Sample output:

NAME    SIZE  ALLOC   FREE  CKPOINT  EXPANDSZ   FRAG    CAP  DEDUP  HEALTH  ALTROOT
zroot  21.8T  68.7G  21.7T        -         -     0%     0%  1.00x  ONLINE  -

Run the following zfs command to create a file system in the zroot pool mounted at /jails:

# zfs create -o mountpoint=/jails zroot/jails

Next, create a dataset for the base jail:

# zfs create zroot/jails/fullbasejail

Download the FreeBSD base distribution set, plus any other sets you want inside the jail, from https://download.freebsd.org/ftp/releases/amd64/11.2-RELEASE/

Here we fetch them directly with wget:

# cd /tmp
# wget https://download.freebsd.org/ftp/releases/amd64/11.2-RELEASE/base.txz
# wget https://download.freebsd.org/ftp/releases/amd64/11.2-RELEASE/lib32.txz

Extract the downloaded archives into the base jail dataset (the files were saved to /tmp above; tar detects the xz compression itself):

# tar -xvf /tmp/base.txz -C /jails/fullbasejail
# tar -xvf /tmp/lib32.txz -C /jails/fullbasejail

Update the FreeBSD base installation

Apply the latest patches to the jail's base system with freebsd-update, pointing it at the jail's root with -b:

# freebsd-update -b /jails/fullbasejail fetch install

Compare the jail's files against the index of a pristine installation (IDS mode reports any system file whose checksum differs):

# freebsd-update -b /jails/fullbasejail IDS

Configure the base jail

The steps above produced a base jail for rapid deployment.

From now on, creating a new jail is just a matter of cloning this base jail. First snapshot the dataset (the snapshot is named base here):

# zfs snapshot zroot/jails/fullbasejail@base

List the snapshots:

# zfs list -t snapshot

Finally, create a new jail named rsnapshot from the ZFS snapshot:

# zfs send -R zroot/jails/fullbasejail@base | zfs receive zroot/jails/rsnapshot

How to set up the basic jail

The jail must be given the correct time zone, DNS servers, hostname, IP address and so on.

Change into /jails/rsnapshot/ and work relative to the jail's root:

# cd /jails/rsnapshot

Create a new file etc/resolv.conf to configure DNS:

# vi etc/resolv.conf

Add the DNS server entries:

nameserver 192.168.2.254
nameserver 192.168.2.18

Set the time zone:

# ln -v usr/share/zoneinfo/Asia/Shanghai etc/localtime

Set up rc.conf:

# vi etc/rc.conf

Example settings (hostname, address on the vnet interface, default route, and services; sendmail is disabled and syslogd runs without a network listener):

# jail hostname #
host_hostname="rsnapshot"
 
# jail ip address and routing #
ifconfig_ng0_rsnapshot="inet 192.168.2.30 netmask 255.255.255.0"
defaultrouter="192.168.2.254"
 
# Start or stop services #
cron_flags="$cron_flags -J 15"
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
syslogd_flags="-c -ss"
ipv6_activate_all_interfaces="NO"
sshd_enable="YES"

How to configure jail.conf on the host

Create or edit /etc/jail.conf:

# vi /etc/jail.conf

Reference configuration:

rsnapshot {
        host.hostname = "rsnapshot";   # hostname
        path = "/jails/rsnapshot";     # root directory
        exec.clean;
        exec.system_user = "root";
        exec.jail_user = "root";
        # ##########################################################################
        # netgraph/vnet config info
        # ng0 is my vnet
        # igb1 is my physical network interface connected to the LAN (use ifconfig)
        # jng is located in /usr/sbin/
        # rsnapshot is my jail name
        # ##########################################################################
        vnet;
        vnet.interface = "ng0_rsnapshot";               # vnet interface(s)
        exec.prestart += "jng bridge rsnapshot igb1";   # bridge interface(s)
        exec.poststop += "jng shutdown rsnapshot";      # destroy interface(s)

        # Standard stuff
        exec.start += "/bin/sh /etc/rc";
        exec.stop = "/bin/sh /etc/rc.shutdown";
        exec.consolelog = "/var/log/jail_rsnapshot_console.log";
        mount.devfs;          # mount devfs (restricted by devfs_ruleset below)
        allow.raw_sockets;    # allow raw sockets so ping works inside the jail
        devfs_ruleset = 5;    # devfs ruleset for this jail (see /etc/devfs.rules)
}
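As an added example (not code from the original article), the following script generalizes the clone step: given a jail name, address, router and host NIC it generates the rc.conf and the jail.conf stanza shown above and clones the base snapshot. It assumes the snapshot name base, devfs ruleset 5 and the /jails/<name> layout used on this page.

```sh
#!/bin/sh
# Added example (not code from the original article): generate the per-jail
# files for a new vnet jail cloned from the fullbasejail snapshot above.
# Assumed: snapshot zroot/jails/fullbasejail@base, ruleset 5, /jails/<name> layout.
set -eu

# rc.conf for the jail: hostname, address on the ng0_<name> vnet interface,
# default route, and the article's service settings (no sendmail, local syslog).
jail_rc_conf() {   # $1=name $2=ip $3=router
    cat <<EOF
host_hostname="$1"
ifconfig_ng0_$1="inet $2 netmask 255.255.255.0"
defaultrouter="$3"
cron_flags="\$cron_flags -J 15"
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
syslogd_flags="-c -ss"
ipv6_activate_all_interfaces="NO"
sshd_enable="YES"
EOF
}

# jail.conf stanza: jng bridges ng0_<name> to the host NIC on prestart and
# removes it on poststop; devfs inside the jail is limited by the ruleset.
jail_conf_stanza() {   # $1=name $2=host NIC $3=devfs ruleset number
    cat <<EOF
$1 {
        host.hostname = "$1";
        path = "/jails/$1";
        exec.clean;
        vnet;
        vnet.interface = "ng0_$1";
        exec.prestart += "jng bridge $1 $2";
        exec.poststop += "jng shutdown $1";
        exec.start += "/bin/sh /etc/rc";
        exec.stop = "/bin/sh /etc/rc.shutdown";
        mount.devfs;
        devfs_ruleset = $3;
}
EOF
}

# Clone the base snapshot and install the generated files (run as root on the host).
new_jail() {   # $1=name $2=ip $3=router $4=host NIC
    zfs send -R zroot/jails/fullbasejail@base | zfs receive "zroot/jails/$1"
    jail_rc_conf "$1" "$2" "$3" > "/jails/$1/etc/rc.conf"
    jail_conf_stanza "$1" "$4" 5 >> /etc/jail.conf
}
```

Usage on the host: `new_jail web 192.168.2.31 192.168.2.254 igb1`, then `service jail start web`.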

Enable the jail service at boot:

# sysrc jail_enable=YES

Create /etc/devfs.rules

# vi /etc/devfs.rules

Add the ruleset below. It hides every device, then exposes only the basic and login devices plus /dev/tun* and /dev/zfs inside the jail:

[devfsrules_jail_rsnapshot=5]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path 'tun*' unhide
add path zfs unhide

Start the jail service

# service jail start
# service jail status

How to log in to the jail

List the running jails:

# jls

Enter the jail by JID or by name:

# jexec 1
# jexec rsnapshot

Add a new user inside the jail with the pw command:

# pw useradd -n Hyman -G wheel -s /bin/tcsh -m -d /home/Hyman
# passwd Hyman

Update or install packages

# pkg update && pkg upgrade
# pkg install most

Check the jail's networking:

# ifconfig
# sockstat -4
# ping -c 2 theitroad.local